CVE-2026-4030

wpengine · Database Backup for WordPress

The Database Backup for WordPress plugin is vulnerable to unauthorized arbitrary file read and deletion due to a missing authorization check.

Executive summary

A critical vulnerability in the Database Backup for WordPress plugin allows unauthenticated attackers to read or delete arbitrary files on the server.

Vulnerability

This is a missing authorization vulnerability (CWE-862) within the plugin, allowing unauthenticated remote attackers to perform unauthorized file operations, including reading sensitive configuration files or deleting critical system data.

Business impact

Successful exploitation allows an attacker to compromise the integrity and confidentiality of the WordPress installation. With the ability to read arbitrary files, attackers may exfiltrate database credentials or sensitive configuration files, while file deletion capabilities can lead to a complete denial-of-service or system instability. The CVSS score of 8.1 reflects the high severity of potential impact on system availability and data integrity.

Remediation

Immediate Action: Update the "Database Backup for WordPress" plugin to version 2.5.3 or later immediately.

Proactive Monitoring: Review web server access logs for anomalous requests targeting plugin-specific PHP files or directories, particularly those involving unexpected file system paths.

Compensating Controls: If immediate patching is not possible, disable the plugin entirely until an update can be applied to prevent unauthorized access.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

The vulnerability represents a significant risk to site integrity. Administrators should prioritize the update to version 2.5.3 immediately to close the authorization gap and prevent potential file system manipulation by unauthorized parties.